GET VPN KEK TEK

thierryjean
Level 1

Hello,

I have a few questions concerning the GETVPN solution.

Could you please tell me if the TEK and KEK keys are preshared keys or asymmetrical ones (RSA)?

In an example of configuration for the KS, I see the IKE session used to register a GM:
"
crypto isakmp policy 10
authentication pre-share
!
crypto isakmp key 0 cisco address X.X.X. ! Central router
crypto isakmp key 0 cisco address Y.Y.Y.Y ! GM-1 router
"

 

But I have a doubt concerning the KEK and TEK keys:

In the same example of configuration, I see an RSA declaration:
"crypto key generate rsa general-keys label GDOI_KEYS modulus 1024 exportable"
Are we talking here about the KEK key?

If the answer is yes, I don't see any lines of configuration for the TEK key. Do you have some examples of configuration for the TEK key on the KS?

Is the TEK key a preshared key between the KS and the GM or not?
Thanks for your answer.
If you have any example of configuration, I am interested in it.

Regards

5 Replies

Marcin Latosiewicz
Cisco Employee

Neither KEK nor TEK are statically defined. 

I suggest reading the DIG 

http://www.cisco.com/c/dam/en/us/products/collateral/security/group-encrypted-transport-vpn/GETVPN_DIG_version_1_0_External.pdf

 

Hello Marcin,

 

Thanks for the link. The document includes a lot of information.

Concerning my questions, I see in the chapter "2.2.3.2.1 Configuration using Multicast Transport Mechanism"

the command "rekey authentication mypubkey rsa getvpn-export-general". Do you think the key referenced here is the KEK for the rekeys?

In the configuration example of the document (2.2.2 and further), I don't see where the TEK key is defined and transmitted to the GM.

Regards

RSA keys are used for authentication of new key materials and updates - that's why they are exportable. You can also have RSA/cert authentication for IKE, but that's a different story.

TEK will be transmitted to the GM using GDOI, which is protected by the IKE SA.

 

Inside the document you suggested to me, I read in chapter 2.2.1.2.1 that the IKE session can be protected by a preshared key:

crypto isakmp policy 10
 authentication pre-share
crypto isakmp key Cisco address 172.18.5.2
crypto isakmp key Cisco address 172.19.1.2
crypto isakmp key Cisco address 172.20.2.2

Further in the configuration I read the use of RSA:
rekey authentication mypubkey rsa getvpn-export-general

I imagine that this key (public/private) is used for rekey messages (KEK key), don't you think so?

 

Besides, concerning the TEK key, as you explained to me this key is sent inside the GDOI. Do you think it is normal that we can't see any configuration lines for it? Perhaps it is a hidden key from the KS to the GM?

 

Regards

As I said, neither TEK nor KEK will pop up in the configuration; they should be dynamically generated, a session key if you will.

Yes you can use PSK or RSA for IKE authentication. 

The RSA key you indicate in GDOI is used to authenticate messages (rekey mostly, but others too, if memory serves well) from KS.
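As an added illustration (constructed for this thread, not taken from it or from the DIG), here is a KS and GM configuration in the style of the one quoted above, with comments marking where the IKE pre-shared key, the RSA label used for rekey authentication and the TEK policy (transform set and ACL) appear; the group name, key label, ACL name, addresses and group identity number are assumptions.

```cisco
! Constructed example; addresses, names and labels are assumptions.
! Note that no KEK or TEK value is typed anywhere in either device.
!
! ---- Key Server (KS, 172.18.5.2) ----
! IKE protects GM registration, here with a pre-shared key.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 14
crypto isakmp key 0 cisco address 172.19.1.2
!
! Exec-mode command. The RSA pair signs rekey messages from the KS
! (authentication of key updates). It is not the KEK: the KEK and TEK
! are generated by the KS and pushed inside the IKE-protected GDOI exchange.
crypto key generate rsa general-keys label GDOI_KEYS modulus 2048 exportable
!
! Transform set, profile and ACL define the TEK policy (algorithms and
! which traffic is encrypted); the TEK key material itself is never configured.
crypto ipsec transform-set GETVPN-TS esp-aes esp-sha-hmac
crypto ipsec profile GETVPN-PROF
 set transform-set GETVPN-TS
ip access-list extended GETVPN-ACL
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
!
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey authentication mypubkey rsa GDOI_KEYS
  rekey transport unicast
  rekey lifetime seconds 86400
  sa ipsec 1
   profile GETVPN-PROF
   match address ipv4 GETVPN-ACL
  address ipv4 172.18.5.2
!
! ---- Group Member (GM-1, 172.19.1.2) ----
! The GM only points at the KS; it receives KEK and TEK at registration.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 14
crypto isakmp key 0 cisco address 172.18.5.2
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 172.18.5.2
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN
interface GigabitEthernet0/0
 crypto map GETVPN-MAP
```

On the GM, "show crypto gdoi" lists the KEK and TEK SAs downloaded from the KS, which is the only place these keys become visible.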